[14308] in bugtraq


Bypassing IP filters in Bordermanager 3.5

daemon@ATHENA.MIT.EDU (Roy Sigurd Karlsbakk)
Thu Mar 16 22:27:15 2000

Message-Id:  <51313828EB3CD211A49A006097AD457E0EA527@INFOSYS>
Date:         Wed, 15 Mar 2000 13:11:59 +0100
Reply-To: Roy Sigurd Karlsbakk <roy.karlsbakk@A-TEAM.NO>
From: Roy Sigurd Karlsbakk <roy.karlsbakk@A-TEAM.NO>
To: BUGTRAQ@SECURITYFOCUS.COM


After having sent this to Novell (dated 8. Feb 2000) and still missing the
answer, I find it appropriate to post this here:

Problem:
In a recent security check/penetration test at a quite large customer in the
Oslo area, I was able to bypass the IP-filter in BorderManager 3.5 and ping
any host behind it. Although being able to solely ping through isn't a huge
problem, I fear the security hole can be dug larger. The interface on
"my" side of the firewall had one filter rule: "DENY ANY:ANY"

How:
After several traditional TCP and UDP scans, I found no way to bypass it.
After that, I tried fragmented SYN, NUL, FIN, ACK, and Xmas-tree scans
resulting in some strange error allowing me to ping any host behind the
filter. The problem disappeared after an unload/reload of IPFLT.NLM. I was
able to reproduce the problem, although it doesn't seem like it is dependent
on a specific attack sequence. The result was IPFLT.NLM (or something
related) eating a huge amount of memory, thereby crashing the server.

After the server came up, I managed to reproduce this without crashing the
server. I found no real pattern in what to do to break through - just
stressing it enough seemed enough.

Novell has later released a patch towards the port 2000 DoS-like attack, but
I haven't been able to test if this solves the leak problem.

Installation:
  NetWare 5sp4
  BorderManager 3.5sp1
Tools:
  Linux 2.3.42		http://somewhere/
  nmap 2.3 Beta 13	http://www.insecure.org/nmap/

Roy Sigurd Karlsbakk <roy.karlsbakk@a-team.no>
A-Team Norge as
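As an added defender-side example (not part of the original post or of any Novell tool), the following Python flags the traffic pattern the post describes: a single source sending fragmented packets and TCP probes with abnormal flag combinations (no flags, FIN only, FIN+PSH+URG "Xmas"). The log record format, the sample addresses, and the alert threshold are constructed assumptions for this example, not a real product's log format.

```python
"""Flag sources sending fragmented packets and TCP probes with abnormal
flag sets (NULL, FIN-only, Xmas), the stress pattern described in the post.
The record format below is constructed for this example, not a real one."""
import re
from collections import Counter, defaultdict

# Constructed sample records: "<ts> <src> > <dst> proto=<p> flags=<F> frag=<0|1>"
SAMPLE_LOG = """\
2000-03-15T13:01:00 198.51.100.7 > 192.0.2.10 proto=tcp flags=S frag=0
2000-03-15T13:01:01 198.51.100.7 > 192.0.2.10 proto=tcp flags=S frag=1
2000-03-15T13:01:02 198.51.100.7 > 192.0.2.10 proto=tcp flags= frag=1
2000-03-15T13:01:03 198.51.100.7 > 192.0.2.10 proto=tcp flags=F frag=1
2000-03-15T13:01:04 198.51.100.7 > 192.0.2.10 proto=tcp flags=FPU frag=1
2000-03-15T13:01:05 198.51.100.7 > 192.0.2.10 proto=tcp flags=A frag=1
2000-03-15T13:01:06 198.51.100.7 > 192.0.2.10 proto=icmp flags= frag=0
2000-03-15T13:02:00 203.0.113.9 > 192.0.2.10 proto=tcp flags=S frag=0
2000-03-15T13:02:01 203.0.113.9 > 192.0.2.10 proto=tcp flags=A frag=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+) proto=(?P<proto>\w+) "
    r"flags=(?P<flags>[A-Z]*) frag=(?P<frag>[01])$")

# TCP flag sets (letters sorted) that never start a legitimate connection.
ABNORMAL_FLAGS = {"": "NULL", "F": "FIN", "FPU": "XMAS"}

def classify(record):
    """Return the suspicious attributes of one parsed record (may be empty)."""
    tags = []
    if record["frag"] == "1":
        tags.append("FRAG")
    if record["proto"] == "tcp":
        abnormal = ABNORMAL_FLAGS.get("".join(sorted(record["flags"])))
        if abnormal:
            tags.append(abnormal)
    return tags

def scan_log(text, threshold=3):
    """Count suspicious packets per source; return sources at/over threshold
    mapped to the sorted set of suspicious attributes seen from them."""
    counts = Counter()
    kinds = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        tags = classify(m.groupdict())
        if tags:
            counts[m["src"]] += 1
            kinds[m["src"]].update(tags)
    return {src: sorted(kinds[src]) for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, tags in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {src}: suspicious probe types {tags}")
```

An alert on a source like this is also the moment to check the filter module's memory use and confirm the deny rule still holds, since the post reports the filter failing open under exactly this load.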


